Last updated: May 2024
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Appcues Terms of Service, Appcues Master Subscription Agreement, or other written agreement between Appcues, Inc. (“Appcues”) and the customer signatory (whether electronic or otherwise) to such agreement (“Customer,” and each such agreement, the “Agreement”) in each case where Appcues Processes any Customer Personal Data as part of performing Services for Customer under the Agreement. As to each Agreement, this DPA is coterminous with such Agreement and shall replace and supersede in its entirety any prior data processing agreement or similar document relating to Processing Customer Personal Data under such Agreement.
1. DEFINITIONS
1.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the applicable party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2 “Authorized Affiliate” means any Customer Affiliate that is (a) subject to Data Protection Laws and (b) permitted to use the Services under the Agreement.
1.3 “CCPA” means the California Consumer Privacy Act of 2018, including all laws and regulations implementing or supplementing CCPA.
1.4 “Customer Personal Data” means Personal Data agreed to be received or accessed and Processed by Appcues or a Sub-processor on behalf of Customer or an Authorized Affiliate pursuant to the Agreement, but excluding in all cases Prohibited Data.
1.5 “Data Protection Laws” means GDPR and CCPA, as and to the extent applicable.
1.6 “EU-US Data Privacy Framework” or “DPF” means the EU-US and/or Swiss-US Data Privacy Frameworks and/or the UK Extension to the EU-US Data Privacy Framework, as applicable, and their respective successor frameworks, if any, as and when approved (or reinstated, as the case may be) by the European Commission, the UK Information Commissioner and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, on the one hand, and the United States Department of Commerce on the other hand.
1.7 “GDPR” means the European Union (“EU”) General Data Protection Regulation and all laws and regulations (including implementing laws and regulations) of the EU, the European Economic Area (“EEA”) and their Member States (“EU GDPR”), as well as Switzerland under the Swiss Federal Data Protection Act (“Swiss FDPA”) and the United Kingdom under the United Kingdom Data Protection Act of 2018 and GDPR as incorporated into UK law (“UK GDPR”), in each case as and to the extent applicable to the Processing of Customer Personal Data under the Agreement and this DPA.
1.8 “Prohibited Data” means any data or information transmitted to Appcues other than directly through the Appcues API, as well as any data or information comprising (i) payment card or other payment method data or confidential financial information, (ii) health information, including without limitation “Protected Health Information” as that term is defined under the United States Health Insurance Portability and Accountability Act, (iii) “special categories” of personal data as described in GDPR Article 9, Paragraph 1, (iv) classified information under any applicable law, regulation or governmental authority, or (v) Personal Data of or relating to minors.
1.9 “Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer or an Authorized Affiliate to Appcues or a Sub-processor, or (b) an onward transfer of Customer Personal Data from or between Appcues or a Sub-processor, in each of case (a) or (b) where such transfer is permitted under the Agreement but would be prohibited by GDPR (or by the terms of data transfer agreements put in place to address the data transfer restrictions of GDPR) in the absence of a legal transfer mechanism to be established under this DPA.
1.10 “Services” means the products and/or services provided by Appcues under the Agreement.
1.11 “Standard Contractual Clauses” means (a) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); (b) where the UK GDPR applies and the EU SCCs cannot legally be adopted as set forth in Section 8 (Restricted Transfers), the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of UK GDPR (“UK SCCs”); and (c) where the Swiss FDPA applies and the EU SCCs cannot legally be adopted as set forth in Section 8 (Restricted Transfers), the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCCs”), in each case if and to the extent applicable under Section 8 (Restricted Transfers) and as supplemented by the information contained in Attachments 1 and 2 to this DPA.
1.12 “Sub-processor” means any third party appointed by or on behalf of Appcues to Process Customer Personal Data on behalf of Appcues or any Appcues Affiliate.
The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR; provided, however, that for purposes of CCPA, “Data Subject” shall be synonymous with “Consumer”, and “Personal Data” shall be synonymous with “Personal Information”, as those terms are defined in CCPA, and “Supervisory Authority” shall mean the Office of the Attorney General of the State of California, or its designee. The terms “Commercial Purpose”, “Sell”, and “Service Provider” shall have the same meanings as in CCPA.
2. APPLICABILITY; PROCESSING OF PERSONAL DATA
2.1 Applicability. This DPA applies only to the extent and as of the time the Data Protection Laws apply to Customer Personal Data and the Processing of such Customer Personal Data by Appcues or a Sub-processor under the Agreement.
2.2 Authorization. Customer authorizes and requests that Appcues Process Customer Personal Data as set forth in the Agreement and this DPA for the purposes set forth below. This DPA addresses (i) the subject-matter and duration of the Processing, (ii) the nature and purpose of the Processing, and (iii) the types of Customer Personal Data, categories of Data Subjects whose Personal Data may be Processed and the obligations and rights of the parties.
2.3 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data in connection with the Agreement and this DPA, as between the parties, Customer is either the Controller or a Processor and in all cases the Data Exporter (even when acting as a Processor for a third-party Controller), Appcues is in all cases a Processor, Data Importer and Service Provider, and Appcues may engage Appcues Affiliates or other Sub-processors pursuant to the requirements set forth in this DPA.
2.4 Customer’s Obligations. Without limiting any other obligations of Customer under the Agreement or this DPA, Customer shall:
a. Comply with all obligations under Data Protection Laws applicable to it, in particular with the principles relating to processing of Personal Data and the lawfulness of Processing, including obtaining and maintaining any required consent or other authorization from Data Subjects, as well as safeguarding the rights of Data Subjects in its use of the Services.
b. Promptly notify Appcues of any change in the applicability of Data Protection Laws to Customer or Customer Personal Data that may affect the Agreement or Appcues’ ability to perform its obligations thereunder or under this DPA.
c. Serve as a single point of contact for Appcues and be solely responsible for the internal coordination, review and submission of instructions or requests of other Controllers that may be permitted by Customer under the terms of the Agreement to use the Services. Appcues is discharged of any obligation to inform or notify such other Controllers when Appcues has provided applicable information or notice to Customer. Appcues is entitled to refuse any requests or instructions provided directly by a Data Controller that is not Customer.
2.5 Appcues’ Obligations. Without limiting any other obligations of Appcues under the Agreement or this DPA, Appcues shall:
a. Comply with all obligations under Data Protection Laws applicable to it.
b. Process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions as further specified in the Agreement and this DPA or as otherwise required or permitted under Data Protection Laws or as required by other applicable law or judicial process. Without limiting the foregoing, Appcues will not Sell Customer Personal Data and will not Process Customer Personal Data for its own or any other purposes (including any Commercial Purpose) except as otherwise expressly agreed in writing; provided, however, that Processing of Customer Personal Data by Appcues to ensure the security, operational maintenance, analysis, evaluation or development of the Services for the benefit of its customers without disclosing any Customer Personal Data and without having any adverse impact on the technical and organizational measures implemented by Appcues to protect Customer Personal Data shall not constitute processing for Appcues’ own purposes.
c. Provide, at Customer’s request and expense, reasonable cooperation and assistance in connection with Customer’s obligations under Data Protection Laws as they relate to Customer Personal Data.
d. Without undue delay, inform Customer of any Personal Data Breach.
2.6 Purpose of Processing. Customer instructs Appcues to Process Customer Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable purchase order or similar document; (ii) Processing initiated by Customer’s authorized users (which may include authorized personnel of Customer’s customers) in their use of the Services in accordance with Customer’s configuration of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer via Appcues’ support service where such instructions are consistent with the terms of the Agreement and applicable Data Protection Laws. Where an instruction cannot be followed due to the architecture of the Services or generates disproportionate efforts, Customer will reimburse Appcues for the costs arising from these efforts or Appcues may terminate all or applicable parts of the affected Services.
2.7 Further Details of Processing. Further details of the Processing of Customer Personal Data, including the categories of Customer Personal Data and Data Subjects, are set forth in Attachment 1.
3. RIGHTS OF DATA SUBJECTS
3.1 Correction, Amendment and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, transfer or delete Customer Personal Data, as may be required by Data Protection Laws, Appcues shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Appcues is legally permitted to do so. Customer shall be responsible for any costs arising from Appcues’ provision of such assistance to the extent legally permitted.
3.2 Data Subject Requests. Appcues shall, to the extent legally permitted, promptly notify Customer if it receives any complaint, notice or request from a Data Subject related to that person’s Personal Data or either party’s compliance with Data Protection Laws other than if provided as an instruction as set out in Section 2.6 (Purpose of Processing). Customer acknowledges that Appcues cannot verify the identity of a Data Subject (other than Customer personnel) as to any particular Customer Personal Data without Customer’s assistance. Appcues shall not respond to any such Data Subject request except as required under Data Protection Laws, and Appcues shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request according to applicable Data Protection Laws, to the extent legally permitted and to the extent Customer cannot handle the request itself through its use of the Services. Customer shall be responsible for any costs arising from Appcues’ provision of such assistance.
4. APPCUES PERSONNEL
4.1 Confidentiality. Appcues shall treat Customer Personal Data as Confidential Information under the Agreement and shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. Appcues shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Appcues will promptly notify Customer if any Customer Personal Data is required by law or judicial process to be disclosed by it and will cooperate with Customer regarding the manner of such disclosure (but without prejudice to any obligation to comply with any such law or judicial process).
4.2 Reliability. Appcues shall take commercially reasonable steps to ensure the reliability of any Appcues personnel engaged in the Processing of Customer Personal Data.
4.3 Limitation of Access. Appcues shall ensure that Appcues’ access to Customer Personal Data is limited to those personnel who require such access to perform the Agreement.
5. SUB-PROCESSORS
5.1 General. Except as set out in this Section 5, Appcues will not engage any Sub-processor to process Customer Personal Data without the prior written consent of the Customer.
5.2 Appointment of Sub-processors. Customer acknowledges, agrees and herewith consents that (a) Appcues Affiliates may act as Sub-processors; and (b) Appcues and Appcues Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A current list of Sub-processors (and the subject matter, nature and duration of applicable Processing) is available upon Customer’s request. In such cases Appcues will enter into a written agreement with the Sub-processor that will include contractual obligations substantially similar to those under this DPA relating to data protection, data security and the authorization of further sub-processors, in each case to the extent applicable.
The parties agree that copies of Sub-processor agreements provided to Customer by Appcues upon request may have all commercial information or clauses unrelated to data processing removed by Appcues beforehand.
5.3 Liability. To the extent required by applicable Data Protection Laws, Appcues shall be liable for the acts and omissions of its Sub-processors to the same extent Appcues would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5.4 Changes to List of Current Sub-processors. Appcues may remove, replace or appoint suitable and reliable further Sub-processors in its sole discretion. To the extent required under applicable Data Protection Laws, Appcues will inform Customer about any changes to the list of Sub-processors in a timely fashion, which may be by announcing them to the Customer through automated notices. Customer may object to any change of Sub-processors in writing on legitimate grounds based on data protection or security concerns within 10 business days after receipt of Appcues’ notice, and, if Customer so objects, Appcues will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Appcues is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable order document(s) in respect only to those Services which cannot be provided by Appcues without the use of the objected-to new Sub-processor, by providing written notice to Appcues. Customer shall receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
6. SECURITY
6.1 Controls for the Protection of Personal Data. Appcues shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data as set forth in the “Description of the technical and organizational security measures implemented by the data importer” as amended from time to time, a current copy of which is included as part of Attachment 1.
6.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, Appcues shall provide a copy of Appcues’ then most recent third-party audits or certifications, as applicable, or any summaries thereof or other information that Appcues generally makes available to its customers at the time of such request evidencing Appcues’ compliance with Section 6.1. In the absence of such audits or certificates, and to the extent Appcues is required to submit to audits under applicable Data Protection Laws, Customer may, at its own cost, audit the technical and organizational measures taken by Appcues.
6.3 Audit restrictions.
(a) Unless otherwise required by Data Protection Laws, Customer’s audit right pursuant to Section 6.2 (Third-Party Certifications and Audits) is limited to once in any twelve-month period.
(b) An audit may not exceed three business days.
(c) Customer shall provide Appcues with at least 60 days’ prior written notice (unless a Supervisory Authority or applicable Data Protection Law requires a shorter notice period).
(d) Customer and Appcues shall mutually agree the scope and determine the agenda of the audit in advance. The audit shall, to the extent possible, rely on certifications and audit reports or other verifications available to confirm Appcues’ compliance with Section 6.1 and shall exclude any repetitive audits or requests for information.
(e) Customer shall conduct the audit under reasonable time, place and manner conditions and provide Appcues with a copy of the audit report and will inform Appcues without undue delay and comprehensively about any errors or irregularities related to Processing of Customer Personal Data detected during the audit.
(f) If an audit determines that Appcues is required to take corrective technical and/or organizational security measures, Appcues will at its sole discretion determine which measures are best suitable to ensure compliance and perform such measure within a reasonable time frame.
6.4 Data Protection Checks by Supervisory Authorities. Appcues will provide the Customer and Supervisory Authorities (as applicable) with all information and assistance reasonably necessary to investigate Personal Data Breaches or otherwise to demonstrate that the Services comply with Data Protection Laws to the extent that such inspections concern the Processing of Customer Personal Data under the Agreement, and will without undue delay implement the requirements of such Supervisory Authority in agreement with and at the cost of Customer.
7. RETURN AND DELETION OF PERSONAL DATA
At any time upon Customer’s request, Appcues will return to Customer all Customer Personal Data and any copies thereof or will destroy all such Customer Personal Data and certify to Customer that it has done so, except to the extent Data Protection Laws or any other applicable law or judicial process imposed upon Appcues prevents it from doing so.
8. RESTRICTED TRANSFERS
8.1 EU-US Data Privacy Framework. During any period in which (i) the EU-US Data Privacy Framework is in effect and may legally serve as a valid data transfer mechanism under GDPR, and (ii) Appcues is certified in accordance with the requirements of such Framework, such Framework shall apply to any Restricted Transfer and the subsequent Processing of Customer Personal Data in connection with the Services to the fullest extent permitted by Data Protection Laws, and Appcues will comply with such Framework in connection with such Restricted Transfer and subsequent Processing.
8.2 Standard Contractual Clauses. Solely to the extent Section 8.1 does not apply to any Restricted Transfer due to the unavailability of the EU-US Data Privacy Framework or termination of such certification, Customer (as Controller under Module Two or as the transferring Processor under Module Three, but in either case as “data exporter”) and Appcues and each Authorized Affiliate (each, as Processor under Module One or as the receiving Processor under Module Three, but in either case as “data importer”) hereby enter into the Standard Contractual Clauses in respect of such Restricted Transfer; provided, however, that:
a. The Standard Contractual Clauses shall apply only to Customer Personal Data that is transferred from the EU, the European Economic Area and their respective Member States, the United Kingdom and/or Switzerland to the United States;
b. The Standard Contractual Clauses shall come into effect hereunder upon the commencement of the applicable Restricted Transfer; and
c. The terms and applicability of certain sections of the Standard Contractual Clauses shall be as follows:
8.3 The parties agree that neither Section 8.1 nor Section 8.2 (if applicable) shall apply to a Restricted Transfer unless the effect of such Section, together with other reasonably practicable compliance steps undertaken by Appcues (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects), is to allow the Restricted Transfer to take place without breach of applicable Data Protection Law.
9. GENERAL TERMS
9.1 Governing Law and Jurisdiction. Without prejudice to the Standard Contractual Clauses: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
9.2 Order of Precedence. Nothing in this DPA reduces Appcues’ or Customer’s (or Customer Affiliates or their respective users’) obligations under the Agreement or Applicable Data Protection Laws in relation to the protection of Customer Personal Data or permits any party to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this DPA and the EU-US Data Privacy Framework or Standard Contractual Clauses, as applicable pursuant to Section 8, the EU-US Data Privacy Framework or Standard Contractual Clauses, as applicable, shall prevail.
9.3 Changes in Data Protection Laws. Either party may propose variations to this DPA if and as they may apply to a particular Data Protection Law, which such party believes in good faith are required as a result of any change in, or decision of a competent authority under, that Data Protection Law. In the event of such a proposal, the parties agree to work together in good faith to implement mutually agreed changes. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Appcues to protect Appcues and its Affiliates and Sub-processors against additional risks associated with such changes.
9.4 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ATTACHMENT 1
Certain Details of Processing of Customer Personal Data
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement (including ordering documents) and this DPA.
The nature and purpose of the Processing of Customer Personal Data
The nature and purpose of the Processing of the Customer Personal Data are set out in the Agreement and this DPA.
The types of Customer Personal Data to be transferred and Processed
Customer may submit Customer Personal Data (excluding special categories of data) to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
Sensitive data to be transferred
None.
The categories of Data Subjects to whom the Customer Personal Data relates
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Data Subjects:
The period for which the Customer Personal Data will be retained
The period for which Customer Personal Data will be retained is set out in the Agreement and this DPA.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Authorized Affiliates are set out in the Agreement and this DPA.
Description of the technical and organisational security measures
Within Appcues’ area of responsibility, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Appcues has implemented and will maintain, in relation to the Customer Personal Data, appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These include administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, disclosure or access of or to Customer Personal Data. Appcues will not materially decrease the overall security of the Services during its provision of such Services to Customer.
To the extent that Appcues is certified to the following standards and/or controls, it shall adhere to and maintain such certification:
Statement on Standards for Attestation Engagements (SSAE) No. 16, System and Organization Controls for Service Organizations: Trust Services Criteria Type 2 report (“SOC 2, Type 2”).
To demonstrate its commitment to trust and security, Appcues obtains relevant security certifications and undergoes regular testing and audits to ensure continued compliance. Appcues has completed a SOC 2 Type 2 audit that included the Trust Services Principles of Security, Availability, and Confidentiality with no exceptions. Our services undergo third-party penetration testing on an annual basis. All of Appcues’ data stores are backed up at least once every 24 hours. All backup data is encrypted. Appcues uses Amazon Web Services’ High Availability feature that automatically provisions and maintains a synchronous standby replica in a different Availability Zone. Appcues is committed to the privacy of information. We use industry-leading encryption to protect all external traffic in transit (via HTTPS/TLS) and at rest (using AES-256 and an automated key rotation system).
ATTACHMENT 2
Annexes to the Standard Contractual Clauses
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Data exporter(s):
The data exporter is the Customer identified in the Agreement or the applicable order documents. Customer’s contact details (and those of its data protection officer, if any), role and/or representative in the European Union, if any, are set forth in the applicable order documents.
Data importer(s):
The data importer is Appcues, and its role is that of processor (whether the data exporter is a controller or a processor). Appcues’ contact details (and those of its data protection officer, if any) and/or representatives in the European Union, if any, are set forth in the Agreement or applicable order documents.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The description of the transfer is set forth in Attachment 1 to the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The applicable Supervisory Authority shall be determined pursuant to Section 8.2(c) of the DPA.
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
The technical and organisational measures implemented by the data importer are set forth on Attachment 1 to the DPA.
ANNEX III - LIST OF SUB-PROCESSORS
MODULE TWO: Transfer controller to processor
MODULE THREE: Transfer processor to processor
Please see Section 5 and Section 8.2(c) of the DPA.